@@ -71,10 +71,10 class ApplicationController < ActionController::Base | |||||
71 | elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action]) |
|
71 | elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action]) | |
72 | # RSS key authentication does not start a session |
|
72 | # RSS key authentication does not start a session | |
73 | User.find_by_rss_key(params[:key]) |
|
73 | User.find_by_rss_key(params[:key]) | |
74 |
elsif Setting.rest_api_enabled? && |
|
74 | elsif Setting.rest_api_enabled? && api_request? | |
75 |
if |
|
75 | if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action]) | |
76 | # Use API key |
|
76 | # Use API key | |
77 |
User.find_by_api_key( |
|
77 | User.find_by_api_key(key) | |
78 | else |
|
78 | else | |
79 | # HTTP Basic, either username/password or API key/random |
|
79 | # HTTP Basic, either username/password or API key/random | |
80 | authenticate_with_http_basic do |username, password| |
|
80 | authenticate_with_http_basic do |username, password| | |
@@ -402,6 +402,15 class ApplicationController < ActionController::Base | |||||
402 | def api_request? |
|
402 | def api_request? | |
403 | %w(xml json).include? params[:format] |
|
403 | %w(xml json).include? params[:format] | |
404 | end |
|
404 | end | |
|
405 | ||||
|
406 | # Returns the API key present in the request | |||
|
407 | def api_key_from_request | |||
|
408 | if params[:key].present? | |||
|
409 | params[:key] | |||
|
410 | elsif request.headers["X-Redmine-API-Key"].present? | |||
|
411 | request.headers["X-Redmine-API-Key"] | |||
|
412 | end | |||
|
413 | end | |||
405 |
|
414 | |||
406 | # Renders a warning flash if obj has unsaved attachments |
|
415 | # Renders a warning flash if obj has unsaved attachments | |
407 | def render_attachment_warning_if_needed(obj) |
|
416 | def render_attachment_warning_if_needed(obj) |
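Review bot: The comment above `api_key_from_request` (new line 406) should say which source wins when a client sends both, because the body silently prefers `params[:key]` over the `X-Redmine-API-Key` header and a caller cannot tell that from the name; suggested wording: `# Returns the API key present in the request: the +key+ parameter if present, otherwise the X-Redmine-API-Key header. Prefer the header: a key in the query string is exposed in access logs and Referer headers.`. Note also that `params[:key].present?` is true for a non-string value (Rails parses `key[]=...` as an Array), so the `key` handed to `User.find_by_api_key(key)` on new line 77 is not guaranteed to be a String; if that finder expects a string, a `params[:key].is_a?(String)` check in `api_key_from_request` would pin the type down (the finder is not visible from this hunk, so confirm). The enclosing method of the first hunk starts and ends outside it.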
@@ -361,6 +361,20 class ActiveSupport::TestCase | |||||
361 | end |
|
361 | end | |
362 | end |
|
362 | end | |
363 |
|
363 | |||
|
364 | context "should allow key based auth using X-Redmine-API-Key header for #{http_method} #{url}" do | |||
|
365 | setup do | |||
|
366 | @user = User.generate_with_protected!(:admin => true) | |||
|
367 | @token = Token.generate!(:user => @user, :action => 'api') | |||
|
368 | send(http_method, url, parameters, {'X-Redmine-API-Key' => @token.value.to_s}) | |||
|
369 | end | |||
|
370 | ||||
|
371 | should_respond_with success_code | |||
|
372 | should_respond_with_content_type_based_on_url(url) | |||
|
373 | should_be_a_valid_response_string_based_on_url(url) | |||
|
374 | should "login as the user" do | |||
|
375 | assert_equal @user, User.current | |||
|
376 | end | |||
|
377 | end | |||
364 | end |
|
378 | end | |
365 |
|
379 | |||
366 | # Uses should_respond_with_content_type based on what's in the url: |
|
380 | # Uses should_respond_with_content_type based on what's in the url: |
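Review bot: Only the success path of header-based authentication is covered by the new context (new lines 364-377); there is no case asserting that an unknown `X-Redmine-API-Key` value is rejected and leaves `User.current` anonymous, nor that the header is ignored for an action outside `accept_key_auth_actions`, which is what would catch a regression that turns this header into a login bypass. A sibling context that sends `{'X-Redmine-API-Key' => 'invalid'}` and asserts `assert_equal User.anonymous, User.current` together with the same unauthenticated response code the file's existing invalid-key cases expect (if there are any; none are visible here) would close that gap. The helper method containing this context starts before the hunk.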